Oracle Linux 6139 Published by

New Ksplice updates for UEKR6 5.4.17 on Oracle Linux 7 and 8 are available.



El-errata: New Ksplice updates for UEKR6 5.4.17 on OL7 and OL8 (ELSA-2023-12119)


Synopsis: ELSA-2023-12119 can now be patched using Ksplice CVEs:
CVE-2022-3169 CVE-2022-3435 CVE-2022-3545 CVE-2022-3623 CVE-2022-4139
CVE-2022-42329 CVE-2022-42896

Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2023-12119.
More information about this errata can be found at
  https://linux.oracle.com/errata/ELSA-2023-12119.html

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack running UEKR6 5.4.17 on
OL7 and OL8 install these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y

DESCRIPTION

* CVE-2022-42896: Use-after-free in Bluetooth L2CAP.

A flaw in Bluetooth L2CAP protocol when accepting incoming connection
requests could lead to a use-after-free. A remote attacker could use
this flaw for a denial-of-service or for privilege escalation.

* CVE-2022-4139: Information disclosure in Intel HD Graphics Driver.

A flaw in Intel HD Graphics Driver when flushing translation lookaside
buffers could allow access to physical memory which might be already
assigned to a different process. A local user could use this flaw for
denial-of-service or information disclosure.

* CVE-2022-3545: Use-after-free in Netronome Flow Processor Ethernet driver.

A logic flaw in error handling in Netronome Flow Processor Ethernet
driver could result in a use-after-free. A local attacker could use this
flaw for a denial-of-service or code execution.

* CVE-2022-42329: Denial-of-service in Xen Netback driver.

A logic flaw in Xen Netback driver when trying to free the SKB of
a dropped packet in some situations could result in a deadlock.
A local user could use this flaw for a denial-of-service.

* CVE-2022-3169: Denial-of-service in NVM Express block device.

A flaw in ioctls of NVM Express block device could result in PCIe link
disconnect. A local user could use this flaw for a denial-of-service.

* CVE-2022-3435: Information disclosure in IPv4.

A flaw in ioctls of IPv4 could result in out-of-bounds read access.
A local user could use this flaw for information disclosure.

* CVE-2022-3623: Information disclosure in HugeTLB file system support.

A flaw in HugeTLB file system support when looking up a hugetlb page in
some situations could lead to a race condition. A local user could use
this flaw to cause a denial-of-service or information disclosure.

* Data corruption when trimming extents on XFS filesystem.

Freed extents are marked busy from the point the freeing transaction
commits until the associated CIL context is checkpointed to the log.
This prevents reuse and overwrite of recently freed blocks before
the changes are committed to disk, which can lead to corruption after
a crash.

Orabug: 34944365

SUPPORT

Ksplice support is available at ksplice-support_ww@oracle.com.


_______________________________________________